[Buildroot] [PATCH] package/python-django: security bump to version 2.1.9

Peter Korsgaard peter at korsgaard.com
Thu Jun 6 12:20:54 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2019-12308: AdminURLFieldWidget XSS

 > The clickable "Current URL" link generated by AdminURLFieldWidget displayed
 > the provided value without validating it as a safe URL.  Thus, an
 > unvalidated value stored in the database, or a value provided as a URL query
 > parameter payload, could result in a clickable JavaScript link.

 > AdminURLFieldWidget now validates the provided value using URLValidator
 > before displaying the clickable link.  You may customize the validator by
 > passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
 > when using formfield_overrides.

 > Patched bundled jQuery for CVE-2019-11358: Prototype pollution

 > jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
 > Object.prototype pollution.  If an unsanitized source object contained an
 > enumerable __proto__ property, it could extend the native Object.prototype.

 > The bundled version of jQuery used by the Django admin has been patched to
 > allow for the select2 library’s use of jQuery.extend().

 > For more details, see the release notes:
 > https://docs.djangoproject.com/en/dev/releases/2.1.9/

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
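The first issue in the quoted release notes (CVE-2019-12308) comes down to rendering a stored or query-string value as an href without first checking that it is a URL at all. Below is an added, deliberately simplified model of such a "Current URL" link, written for this thread and not taken from Django's AdminURLFieldWidget or from Buildroot. The render function names, the scheme allowlist (http, https, ftp, ftps, which matches URLValidator's default schemes) and the sample inputs are assumptions of the example. It shows why HTML-escaping alone does not help: a javascript: value contains nothing to escape, so the unsafe renderer emits a working link, while the hardened renderer validates the value and falls back to plain text.

```javascript
// Added example, not Django/Buildroot code: a minimal model of an admin
// widget that shows a clickable "Current URL" link for a stored value.

// Assumed allowlist, mirroring URLValidator's default schemes.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "ftps:"]);

// Escape for an HTML attribute/text context. Note that this does nothing
// to a javascript: URL, which contains no characters that need escaping.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable shape: escapes correctly for the HTML context but never asks
// whether the value is a safe URL, so href="javascript:..." is clickable.
function renderCurrentUrlUnsafe(value) {
  const v = escapeHtml(value);
  return `<p>Current URL: <a href="${v}">${v}</a></p>`;
}

// Validation step: accept only absolute URLs with an allowlisted scheme and
// a non-empty host. The WHATWG URL parser lowercases the scheme and strips
// leading whitespace, so "  JavaScript:alert(1)" is still rejected.
function isSafeUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return false; // not parseable as an absolute URL
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  if (url.hostname === "") return false;
  return true;
}

// Hardened shape: validate first; anything that fails is shown as text only.
function renderCurrentUrlSafe(value) {
  if (!isSafeUrl(value)) {
    return `<p>Current URL: ${escapeHtml(value)}</p>`;
  }
  const v = escapeHtml(value);
  return `<p>Current URL: <a href="${v}">${v}</a></p>`;
}

// Constructed sample values standing in for a database row or ?url= payload.
const SAMPLE_VALUES = [
  "https://example.com/path?a=1&b=2",
  "javascript:alert(document.domain)",
  "  JavaScript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "not a url",
];

for (const v of SAMPLE_VALUES) {
  console.log(isSafeUrl(v) ? "link   " : "text   ", renderCurrentUrlSafe(v));
}
```

The same check belongs on the server side: the admin renders this link, so the browser only ever sees the result, and client-side code cannot undo a javascript: href once it has been emitted.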

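The second issue (CVE-2019-11358) is easier to see with a small recursive merge than with the jQuery source. The block below is an added example written for this thread, not jQuery's or Django's code; the function names and the attacker payload are assumptions. A deep extend that walks every own enumerable key of the source will, for a JSON document carrying a literal "__proto__" key, read target["__proto__"] (which is Object.prototype for a plain target), treat it as a plain object to merge into, and recurse into it. The hardened version skips "__proto__" the way jQuery 3.4.0 does, and additionally skips "constructor" and "prototype" as defence in depth for merges that are less careful about what counts as a plain object.

```javascript
// Added example, not jQuery code: a minimal deep extend in the spirit of
// jQuery.extend(true, target, source), in a vulnerable and a hardened form.

// A plain object is one whose prototype is Object.prototype or null.
// Object.prototype itself has a null prototype, so it counts as plain here,
// which is exactly the property the attack relies on.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable: JSON.parse creates an own property literally named
// "__proto__", Object.keys enumerates it, target["__proto__"] resolves to
// Object.prototype, and the recursion merges the payload into it.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = target[key];
    const copy = source[key];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[key] = deepExtendVulnerable(clone, copy);
    } else {
      target[key] = copy;
    }
  }
  return target;
}

// Hardened: never merge through prototype-affecting keys. jQuery 3.4.0 skips
// "__proto__"; constructor/prototype are skipped here as defence in depth.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = target[key];
    const copy = source[key];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[key] = deepExtendSafe(clone, copy);
    } else {
      target[key] = copy;
    }
  }
  return target;
}

// Runs a constructed attacker payload (think: a request body that ends up
// in an options object) through the given extend and reports whether an
// unrelated, freshly created object now carries the attacker's key.
// Object.prototype is restored afterwards so the process is not left polluted.
function pollutionTest(extendFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  try {
    extendFn({}, payload);
    return ({}).polluted === "yes";
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("vulnerable extend pollutes Object.prototype:", pollutionTest(deepExtendVulnerable));
console.log("hardened extend pollutes Object.prototype:  ", pollutionTest(deepExtendSafe));
```

The point worth keeping in mind for the admin: select2 and other bundled scripts call jQuery.extend on objects that can originate in server responses, which is why the release note mentions patching the bundled copy rather than only advising not to pass untrusted input.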